Spring Boot Actuator Endpoints安全性不适用于自定义Spring Security配置

本文介绍了Spring Boot Actuator Endpoints安全性不适用于自定义Spring Security配置的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

这是我的Spring Boot 1.5.1 Actuator application.properties ：

This is my Spring Boot 1.5.1 Actuator application.properties:

#Spring Boot Actuator management.contextPath: /actuator management.security.roles=R_0

这是我的 WebSecurityConfig ：

@Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private UserDetailsService userDetailsService; @Value("${logout.success.url}") private String logoutSuccessUrl; @Override protected void configure(HttpSecurity http) throws Exception { // @formatter:off http.addFilterBefore(new CorsFilter(), ChannelProcessingFilter.class); http .csrf().ignoringAntMatchers("/v1.0/**", "/logout") .and() .authorizeRequests() .antMatchers("/oauth/authorize").authenticated() //Anyone can access the urls .antMatchers("/signin/**").permitAll() .antMatchers("/v1.0/**").permitAll() .antMatchers("/auth/**").permitAll() .antMatchers("/actuator/health").permitAll() .antMatchers("/actuator/**").hasAuthority("R_0") .antMatchers("/login").permitAll() .anyRequest().authenticated() .and() .formLogin() .loginPage("/login") .loginProcessingUrl("/login") .failureUrl("/login?error=true") .usernameParameter("username") .passwordParameter("password") .permitAll() .and() .logout() .logoutUrl("/logout") .logoutSuccessUrl(logoutSuccessUrl) .permitAll(); // @formatter:on } /** * Configures the authentication manager bean which processes authentication requests. */ @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder()); } @Override @Bean public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } }

现在我已经成功了使用具有 R_0 权限的合适用户登录我的应用程序，但是当我尝试访问时，例如

Right now I'm successfully able to login in my application with a right user that has R_0 authorities but when I trying to access for example

localhost:8080/api/actuator/beans

我收到以下错误：

There was an unexpected error (type=Forbidden, status=403). Access is denied. User must have one of the these roles: R_0

如何正确配置Spring Boot Actuator以便了解正确的身份验证？

How to correctly configure Spring Boot Actuator in order to be aware about the correct Authentication ?

现在为了让它工作，我必须做以下诀窍：

Right now in order to get it workin I have to do the following trick:

management.security.enabled=false .antMatchers("/actuator/health").permitAll() .antMatchers("/actuator/**").hasAuthority("R_0")

是否有机会以正确的方式配置执行器？

Is any chance to configure Actuator in a right way ?

更新

我正在使用 UserDetailsS​​ervice.UserDetails.Authorities

public Collection<? extends GrantedAuthority> getAuthorities() { String[] authorities = permissions.stream().map(p -> { return p.getName(); }).toArray(String[]::new); return AuthorityUtils.createAuthorityList(authorities); }

推荐答案

你必须使用前缀<您的 management.security.roles 的code> ROLE _ 例如 management.security.roles = ROLE_SOMENAME 为了解决这个问题

You have to use prefix ROLE_ for your management.security.roles for example management.security.roles=ROLE_SOMENAME in order to solve this issue